Third party cookies may be stored when visiting this site. Please see the cookie information.

Penguin Fortress YouTube Channel

Web encryption and certificates the importance of SSL/TLS

Understand how encryption is used to to protect web traffic over the insecure network.

This video explains what web encryption including the terminology of SSL, TLS and HTTPS. TLS being the current version of encryption technology used to keep data safe.

Through encryption data from the user and webserver is converted into cipher text, which cannot be understood except by the intended recipient. This is the basics of encryption which is explained in my earlier videos on cryptography.

Hybrid Cryptography

This uses the concept of hybrid encryption. The client and server first use asymmetric (public-private key) encryption to communicate. This uses the web certificate from the server which makes it's public key available. During the TLS hand-shake the client then generates a symmetric encryption key (also known as a shared key), which it can share securely with the server using the servers public key. Once the shared key is known by both parties then they can use that instead as it is faster and requires less processing power. The TLS hand-shake is shown below.

TLS handshake used for web encryption

Benefits of web encryption

Encryption can protect usernames and passwords from being captured by an attacker. This is essential if you are using logins on your website.

Encryption can protect data being sent by the user (eg. credit card information) and also protect against someone manipulating data sent to the end user through a "man-in-the-middle" (or meet-in-the-middle) attack.

Encryption can also help provide some element of privacy. It does not hide which server you are visting, just the pages that are visited and any data transferred. It does not hide you from the web server. For these you would need some kind of anonymiser such as using the TOR browser.

Web certificate padlocks do not make you safe!

Just because a website has encryption and shows the padlock icon in your browser does not mean that it is a safe website. It just means that the data between you and the server is encrypted protecting the traffic across the network. It's still possible that the website you visit has dangerous content etc.

Different web certificates

Web certificates can be grouped into the following three types (although there are variations of these):

  • Domain validated certificates (DV) - Validated based on domain name ownership
  • Organisation validated certificates (OV) - Organisation name is checked
  • Extended validation (validated) certificates (EV) - Extensive validation including legal entity

The higher the level of vetting the more likely it is that the website can be trusted, although diligence is still needed.

More information on cryptography

For more details about how cryptography and encryption see the following guides:

Previous Introduction to Cryptography
Introduction to Cryptography
Next Wireshark and HTTPS
Wireshark and HTTPS